Weekly Blockchain Security Report by Fairyproof- Apr 18 to Apr 24
During the week from April 18 to April 24, 2022, security incidents that happened in the crypto space can be categorized into security hacks and rug pulls.
Here is a list of the security hacks:
1. ZEED
On April 21, ZEED, a DeFi application deployed on the BNB Chain, was attacked.
The attacker’s address was 0xEc14207D56E10F72446576779d9b843e476e0fB0 on the BNB Chain.
The attacking contract was deployed at 0x05e55d051AC0a5fb744E71704a8fA4Ee3B103374 on the BNB Chain.
The attacked contract was the “YEED” contract deployed at:
0xe7748FCe1D1e2f2Fd2dDdB5074bD074745dDa8Ea on the BNB Chain.
The hash value of the attack transaction was:
0x0507476234193a9a5c7ae2c47e4c4b833a7c3923cefc6fd7667b72f3ca3fa83a
Crypto assets valued at around $1 million were exploited in this incident.
The vulnerability was a logic error in the “_takeReward” function of the YEED contract that caused the reward to be calculated incorrectly.
The function implemented the algorithm for distributing the “rewardFee”. The expected behavior was that swapPair, swapPairZeed, and swapPairHo would receive 1/2 * rewardFee, 1/4 * rewardFee, and 1/4 * rewardFee respectively. However, the implementation gave each of them the full rewardFee. The pair contract had a “skim” function that any address could call to transfer out the surplus tokens held by the contract, and the attacker called it to take the over-distributed token rewards.
The attacker used a flash loan to borrow 662 YEED, launched the attack with them, and eventually exploited 87 million YEED, which were exchanged for BSC-USD and sent to the attacking contract. The attacker then destroyed the attacking contract, which means the hacker did not take away the exploited tokens.
2. AKuDreams
On April 23, AKuDreams, an NFT application deployed on Ethereum, was attacked.
The attacked contract was the “AkuAuction” contract deployed at:
0xf42c318dbfbaab0eee040279c6a2588fa01a961d on Ethereum.
A total of 11,000 ETH valued at around $34 million was locked permanently in the contract.
There were two vulnerabilities in this application:
The first one was in the processRefunds() function defined in the AkuAuction contract.
The “bidData.bidder” was the address to which the bidder’s fee was returned. That address was a contract address; if its fallback function reverted, the execution of the processRefunds() function could be subjected to a DoS attack. And in this case, it DID suffer a DoS attack.
The second one was in the claimProjectFunds() function defined in the AkuAuction contract.
The check “require(refundProgress >= totalBids)” would never hold true, which resulted in the ETH being locked in the contract permanently. The “totalBids” should have been “bidIndex”.
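The two AkuAuction defects above, as an added illustration that is not the project's source: a constructed sketch of the push-refund loop and the mismatched counter beside a pull-payment variant that removes both problems. The names processRefunds, claimProjectFunds, refundProgress, totalBids and bidIndex follow the report; Bid, pendingRefund and withdrawRefund are assumed names.

```solidity
pragma solidity ^0.8.0;

// Constructed sketch of the two AkuAuction-style defects and their fixes; not the project's code.
struct Bid { address bidder; uint256 refund; }
contract VulnerableRefunds {
    mapping(uint256 => Bid) public bids;
    uint256 public bidIndex;       // bids placed
    uint256 public refundProgress; // bids refunded so far
    uint256 public totalBids;      // wrong counter for the gate in claimProjectFunds
    function processRefunds(uint256 count) external {
        uint256 end = refundProgress + count;
        if (end > bidIndex) end = bidIndex;
        for (uint256 i = refundProgress; i < end; i++) {
            // Push payment: one bidder contract whose fallback reverts halts every later refund.
            (bool ok, ) = bids[i].bidder.call{value: bids[i].refund}("");
            require(ok, "refund failed");
        }
        refundProgress = end;
    }
    function claimProjectFunds() external {
        // Gate compares against the wrong counter; the report says bidIndex was meant.
        require(refundProgress >= totalBids, "refunds pending");
        payable(msg.sender).transfer(address(this).balance);
    }
}

contract HardenedRefunds {
    mapping(uint256 => Bid) public bids;
    mapping(address => uint256) public pendingRefund; // assumed name
    uint256 public bidIndex;
    uint256 public refundProgress;
    // Book-keeping only: no external call, so no single bidder can block the loop.
    function processRefunds(uint256 count) external {
        uint256 end = refundProgress + count;
        if (end > bidIndex) end = bidIndex;
        for (uint256 i = refundProgress; i < end; i++) pendingRefund[bids[i].bidder] += bids[i].refund;
        refundProgress = end;
    }
    // Pull payment: each bidder withdraws its own refund; a reverting receiver only hurts itself.
    function withdrawRefund() external {
        uint256 amount = pendingRefund[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefund[msg.sender] = 0; // zero before the call to block re-entrancy
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
    function claimProjectFunds() external {
        require(refundProgress >= bidIndex, "refunds pending"); // gate on the real bid count
        payable(msg.sender).transfer(address(this).balance);
    }
}
```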
Here is a list of the rug pulls:
1. MaxAPY
On April 20, MaxAPY Finance, a DeFi application deployed on the BNB Chain, was found to be a rug pull.
A total of 1,042 BNB valued at around $420,000 was taken away.
The project’s Twitter account has been deleted; the Telegram group has been closed.
Closing thoughts
Among these 3 incidents, 2 (YEED and AKuDreams) were attacked due to issues that could have been prevented by a thorough audit. Specifically, in the AKuDreams project, the second vulnerability was very likely a typo that should have been easily uncovered if the contract had been carefully tested before deployment.
A reminder to smart contract developers: smart contracts should be thoroughly tested before being deployed. A professional audit performed by a third party is a must-have step before deployment.
A reminder to crypto users: be cautious about projects created by teams that lack an established reputation.